PADS(8)
NAME
pads - Passive Asset Detection System
SYNOPSIS
pads <DhUvV> <-c file> <-d file> <-g group> <-i interface> <-n network(s)> <-p file> <-r file> <-u user> <-w file> <expression>
DESCRIPTION
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
Goals:
- Passive: Records and identifies traffic seen on a network without actively "scanning" a system. There will never be a packet sent from the pads application.
- Portable: Has the ability to be placed easily on a remote system. Does not require additional external libraries other than those associated with libpcap.
- Lightweight: Logging is sent to a simple CSV file. There is no need for a database or other data repository installed on the local machine. All correlation is done outside of the pads program.
OPTIONS
-h
       Display help / usage information.
-D
       Run PADS in the background (daemon mode).
-d file
       Dump banner data into a libpcap formatted file. This feature will dump the matched packet or the first 4 packets of an unmatched connection into a specified file. This can be used to further identify a service and also aid with signature development.
       Please keep in mind that this feature must be compiled into the application in order to use it. This can be done by adding
-g group
       This switch allows you to specify a group that PADS will drop to after the libpcap interface has been initialized.
-h
       Display help.
-i interface
       Specify an interface to be used.
-n network list
       Specify a set of networks to be monitored. Only assets that exist within these networks will be recorded. The networks should be specified in the following format: 10.10.10.0/24,192.168.0.0/16.
-p pid file
       This switch allows you to specify a PID file to be used in conjunction with daemon (-D) mode.
-r file
       Read packets from a libpcap formatted file.
-u user
       This switch allows you to specify a user that PADS will drop to after the libpcap interface has been initialized.
-w file
       Dump data into a file other than assets.csv.
expression
       Selects which packets will be processed. Please see tcpdump(1) for details on the libpcap primitives.
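The following Python is an added example, not code from PADS or its man page. It illustrates two behaviours described in the options above: the -n network filter (only assets whose address falls inside one of the listed networks are recorded) and the order in which a capture process drops to the -u user and -g group once the libpcap handle is open, with a check that the drop cannot be undone. The asset records, their field names and the function names are constructed for the example; the real assets.csv layout is not described on this page.

```python
"""Added example: -n network filtering and -u/-g privilege dropping.
Not PADS source; field names and helpers are assumptions."""
import ipaddress
import os
import pwd
import grp


def parse_network_list(spec):
    """Parse a -n style list such as "10.10.10.0/24,192.168.0.0/16".

    Entries are comma separated. A malformed entry raises ValueError
    from ipaddress so a bad command line fails loudly rather than
    silently monitoring nothing. strict=False normalises an entry with
    host bits set (e.g. 10.10.10.5/24) to its network address; the
    man page does not say how PADS itself treats that case.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def is_monitored(ip, nets):
    """True if ip lies inside any of the monitored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def filter_assets(assets, nets):
    """Keep only asset records whose "ip" field is in a monitored network."""
    return [asset for asset in assets if is_monitored(asset["ip"], nets)]


# Constructed sample asset records (not real PADS output).
SAMPLE_ASSETS = [
    {"ip": "10.10.10.5", "port": 22, "proto": "tcp", "service": "ssh"},
    {"ip": "192.168.4.20", "port": 80, "proto": "tcp", "service": "www"},
    {"ip": "172.16.0.9", "port": 25, "proto": "tcp", "service": "smtp"},
]


def current_ids():
    """Numeric (uid, gid) of the running process."""
    return os.getuid(), os.getgid()


def drop_privileges_ids(uid, gid):
    """Drop to numeric uid/gid after the capture handle is already open.

    Order matters: supplementary groups and the primary gid are changed
    first, while still root, and the uid last, because once the uid is
    non-zero the group changes would be refused. Returns the (uid, gid)
    now in effect.
    """
    if os.geteuid() == 0:
        # Only root may reset the supplementary group list; without this
        # the process would keep root's groups after the drop.
        os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        # Verify the drop is permanent: regaining uid 0 must fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop was not permanent")
    return current_ids()


def drop_privileges(user, group=None):
    """Resolve -u user and -g group names, then drop to them.

    If no group is given the user's primary group from the password
    database is used (an assumption, not documented for PADS).
    """
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    return drop_privileges_ids(pw.pw_uid, gid)


if __name__ == "__main__":
    nets = parse_network_list("10.10.10.0/24,192.168.0.0/16")
    for asset in filter_assets(SAMPLE_ASSETS, nets):
        print(asset)
    # Dropping to the identity we already have is a no-op but exercises
    # the same code path a root sensor would use with real -u/-g values.
    print("running as uid/gid", drop_privileges_ids(*current_ids()))
```

Run as shown, the 172.16.0.9 record is discarded because it is outside both listed networks, while the other two are kept. In a real sensor the drop happens after pcap_open_live() has acquired the capture descriptor, which is exactly why the man page ties -u and -g to the libpcap interface having been initialized.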
SEE ALSO
pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)
COPYRIGHT
Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>
BUGS
Please send bug reports to the author.
AUTHORS
Matt Shelton <matt@mattshelton.com>